b"Office of Audits\nReport No. AUD-11-005\n\n\nThe FDIC\xe2\x80\x99s Franchise Marketing of\nAmTrust Bank\n\n\n\n\n                                    March 2011\n\x0c                                          Executive Summary\n\n                                          The FDIC\xe2\x80\x99s Franchise Marketing of AmTrust\n                                          Bank\n                                                                                                Report No. AUD-11-005\n                                                                                                           March 2011\n\nWhy We Did the Audit\nA key aspect of the FDIC mission is to plan and effectively handle the resolution of failing FDIC-insured\ninstitutions and to provide prompt, responsive, and efficient administration of failed financial institutions\nto ensure that insured depositors are protected and to minimize losses to the Deposit Insurance Fund\n(DIF). The FDIC Board of Directors has delegated significant authority to the Director, Division of\nResolutions and Receiverships (DRR), to conduct the activities required to resolve a failing institution in\nthe least costly manner and manage the resulting receivership. To minimize the negative financial effects\nof failing and failed insured financial institutions on the DIF, DRR resolves institutions using the least\ncostly resolution method. Further, DRR is to resolve the troubled institution and sell assets in the manner\nthat results in the least cost and highest recovery to the FDIC\xe2\x80\x99s insurance funds and other creditors of the\nfailed institution.\n\nThe FDIC\xe2\x80\x99s Office of Inspector General (OIG) contracted with BDO USA, LLP (BDO) to conduct an\naudit of the FDIC\xe2\x80\x99s franchise marketing of AmTrust Bank, Cleveland, Ohio. The objective of this\nperformance audit was to assess the FDIC\xe2\x80\x99s franchise marketing process for AmTrust Bank. We selected\nAmTrust Bank for the audit because AmTrust was a large bank that failed toward the end of 2010, and the\nFDIC received bids to acquire the bank from multiple institutions.\n\nBackground\nOn June 23, 2009, the FDIC Board of Directors approved a failing bank case for AmTrust Bank. On\nDecember 4, 2009, the Office of Thrift Supervision closed AmTrust Bank, a federally chartered thrift\ninstitution established in 1921, and appointed the FDIC receiver. At closing, AmTrust Bank had a total of\n66 branches in Ohio, Florida, and Arizona; total assets of approximately $13.0 billion; and total deposits\nof approximately $8.3 billion. Prior to the bank closing, the Director, DRR, approved a Purchase and\nAssumption (P&A) Agreement, including loss sharing,1 with New York Community Bank (NYCB),\nWestbury, New York, as the least costly transaction on November 25, 2009. The NYCB bid was\ncompared to the liquidation cost of AmTrust Bank as well as to 13 other bids to determine the least costly\nresolution. The DRR analysis of the bids ranged from a $2.2 billion cost to the DIF to over $5 billion.\n\nUnder the P&A Agreement, NYCB assumed all of the deposits of AmTrust Bank and purchased, at a\ndiscount, AmTrust Bank assets with a book value of about $9.2 billion. The P&A Agreement included a\nloss-share transaction on approximately $6.3 billion of the $9.2 billion in assets purchased by NYCB. In\naddition, the FDIC acquired a value appreciation instrument,2 valued at $10.7 million, and transferred to\nNYCB all qualified financial contracts to which AmTrust Bank was a party. The FDIC estimated that the\ncosts of the NYCB acquisition to the DIF would be approximately $1.6 billion less than if the bank had\nbeen liquidated, meaning that the FDIC makes a payout to all insured depositors and liquidates the assets\ntaken into receivership. The FDIC retained approximately $3.8 billion of assets, consisting mainly of\nacquisition, development, and construction loans and non-performing loans for later disposition. The\nFDIC estimated that the cost of AmTrust Bank\xe2\x80\x99s failure to the DIF would be $2.2 billion.\n\n\n1\n  Under loss sharing agreements, the FDIC agrees to absorb a portion of the loss on a specified pool of assets, purchased\nby an acquiring institution from a failed bank, in order to maximize asset recoveries and minimize FDIC losses by\nkeeping the assets in the private sector. The agreements are also intended to minimize disruption of loan customers.\n2\n  A debt or equity instrument or obligation issued by an entity that entitles its holders to receive payments that depend\nprimarily on the stock price of the entity.\n\n\n\n\n                             To view the full report, go to www.fdicig.gov/2011reports.asp\n\x0c    Executive Summary\n                                          The FDIC\xe2\x80\x99s Franchise Marketing of AmTrust\n                                          Bank\n                                                                                               Report No. AUD-11-005\n                                                                                                          March 2011\n\n\nAudit Results\nOverall, BDO concluded that the franchise marketing process for AmTrust Bank was completed in\naccordance with the FDIC\xe2\x80\x99s resolution policies, procedures, and guidelines for the franchise marketing of\nfailed banks. BDO found that the FDIC had implemented controls designed to ensure that the resolution\nof AmTrust Bank was managed effectively and potential losses to the DIF were minimized for AmTrust\nBank\xe2\x80\x99s failure. While these controls are positive, BDO also found that updated and additional internal\ncontrol procedures and certain control enhancements are warranted. Specifically, DRR\xe2\x80\x99s Resolutions\nPolicy Manual and the Least Cost Test Manual contain outdated information, and certain control\nprocedures were not followed in marketing AmTrust Bank. As a result, estimated liquidation costs for\nAmTrust Bank were understated due to errors that had not been detected in the estimation process. While\nthe understatement of estimated liquidation costs could impact the determination of the least costly\nresolution and bid decision, in this case, the winning bid was significantly below the estimated liquidation\ncost, and there was no impact on the outcome of the bidding. Importantly, however, the nature of the\nerrors made in estimating the liquidation costs could have impacted the bidding process if a misstatement\nof the costs was not detected and resulted in selecting other than the least costly option. BDO also found\nthat documentation of the bidding and least cost resolution determination processes needed improvement.\nFurther, information security controls for the Least Cost Test (LCT) Model3 and segregation of duties in\nthe least cost determination process were inadequate to ensure the confidentiality and integrity of related\ninformation. Improvements are also needed to ensure that valuation contractors use approved\nmethodologies and assumptions for the valuation analysis. Finally, the FDIC\xe2\x80\x99s Division of\nAdministration (DOA) could not provide evidence of confidentiality agreements for some of the\ncontractors processing information related to the franchise marketing process for AmTrust Bank.\n\nTaken together, these deficiencies can lead to (1) increased cost to the DIF as a result of erroneous or\nincomplete information being used for decision-making in the franchise marketing process, and\n(2) inconsistent or unfair treatment of bidders. Control deficiencies in information security and contractor\noversight related to the failing bank marketing process and failing bank data also make the FDIC\nvulnerable to data confidentiality and integrity problems.\n\nDuring and subsequent to the performance of our audit, DRR began remediating some of the findings\ndiscussed in this report. Specifically, the DRR Resolutions Policy Manual, job aids, and instructions to\nasset valuation contractors were in the process of being updated, and enhancements have been made to\nthe LCT Model to improve security and the validation of data inputs. In addition, more robust procedures\nhave been implemented over the development and testing of the LCT Model to include improved\ndocumentation and approval for LCT Model changes and the related testing processes.\n\nRecommendations, Management Comments, and OIG Evaluation\nBDO recommended that the FDIC update the Resolutions Policy Manual and Least Cost Test Manual and\nimprove the franchise marketing process by establishing adequate information security controls to ensure\nthe completeness, accuracy, and integrity of the data that is ultimately submitted to the FDIC Board of\nDirectors. BDO also recommended improving the bidding process by establishing procedures for the\ndocumentation of the FDIC\xe2\x80\x99s approval of potential bidders. In addition, BDO recommended\n\n3\n The LCT Model determines the liquidation value of the failing institution and compares the bids to the liquidation\nvalue and to each other.\n\n\n\n\n                             To view the full report, go to www.fdicig.gov/2011reports.asp\n\x0c   Executive Summary\n                                     The FDIC\xe2\x80\x99s Franchise Marketing of AmTrust\n                                     Bank\n                                                                                         Report No. AUD-11-005\n                                                                                                    March 2011\n\nenhancements related to the methodology and assumptions used in the asset valuation process that would\nimprove the consistency of information provided and help ensure the reliability of the valuation of the\nfailing bank\xe2\x80\x99s assets. Finally, BDO recommended that DRR coordinate with DOA to improve contract\nadministration by establishing procedures to ensure that contractor confidentiality agreements are\ncompleted and documented for contractors involved in the resolution process. The FDIC concurred with\nthe nine recommendations. The FDIC\xe2\x80\x99s planned and completed actions are sufficient to resolve all the\nrecommendations.\n\n\n\n\n                         To view the full report, go to www.fdicig.gov/2011reports.asp\n\x0cFederal Deposit Insurance Corporation                                                              Office of Audits\n3501 Fairfax Drive, Arlington, VA 22226                                               Office of Inspector General\n\n\nDATE:                                     March 3, 2011\n\nMEMORANDUM TO:                            Bret D. Edwards, Acting Director\n                                          Division of Resolutions and Receiverships\n\n\n                                          /Signed/\nFROM:                                     Russell A. Rau\n                                          Assistant Inspector General for Audits\n\nSUBJECT:                                  The FDIC\xe2\x80\x99s Franchise Marketing of AmTrust Bank\n                                          (Report No. AUD-11-005)\n\n\nThe subject final report is provided for your information and use. Please refer to the Executive\nSummary, included in the report, for the overall audit results. Our evaluation of the Division of\nResolutions and Receiverships response is incorporated into the body of the report. We have\ndetermined that management\xe2\x80\x99s corrective actions are sufficient to resolve the recommendations.\nThe recommendations will remain open for reporting purposes until we have determined that\nagreed-to corrective actions have been completed and are responsive.\n\nIf you have questions concerning the report, please contact me at (703) 562-6350 or Lisa\nConner, Audit Manager, at (972) 761-2297. We appreciate the courtesies extended to the audit\nstaff.\n\nAttachment\n\ncc: Stephen K. Trout, DRR\n    Arleas Upton Kea, DOA\n    Daniel H. Bendler, DOA\n    James H. Angel, Jr., OERM\n\x0c                                    Contents\n\n\nPart I\n\n   Report by BDO USA, LLP                                    I-1\n   The FDIC\xe2\x80\x99s Franchise Marketing of AmTrust Bank\n\n\n\nPart II\n\n   Management Comments and OIG Evaluation                    II-1\n\n   Management Comments                                       II-2\n\n   Summary of Management\xe2\x80\x99s Comments on the Recommendations   II-9\n\x0c        Part I\n\nReport by BDO USA, LLP\n\x0c                                                                             Audit Report\n\n                                                                             The FDIC\xe2\x80\x99s Franchise Marketing of\n                                                                             AmTrust Bank\n\n\n                                                                            March 3, 2011\n\n\n\n\nBDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the\ninternational BDO network of independent member firms.\n\nBDO is the brand name for the BDO network and for each of the BDO Member Firms.\n\n\n\n                                                                                  I-0\n\x0c                                                                          Tel: 301-654-4900                           7101 Wisconsin Ave, Suite 800\n                                                                          Fax: 301-654-3567                           Bethesda, MD 20814\n                                                                          www.bdo.com\n\n\n\n\nMarch 3, 2011\n\nHonorable Jon T. Rymer\nInspector General\nFederal Deposit Insurance Corporation\n3501 Fairfax Drive\nArlington, VA 22226\n\n\nRe:          Transmittal of Results of the Audit of The FDIC\xe2\x80\x99s Franchise Marketing of AmTrust Bank\n             (Report No. AUD-11-005)\n\nDear Mr. Rymer:\n\nThis letter submits our final report representing the results of our performance audit of The FDIC\xe2\x80\x99s\nFranchise Marketing of AmTrust Bank in accordance with Contract Number CORHQ-09-G-0386 dated\nMarch 12, 2010. The objective of this performance audit was to assess the FDIC\xe2\x80\x99s franchise marketing\nprocess for AmTrust Bank. As part of our work, we interviewed key DRR officials responsible for the\nprocess and obtained other evidence to accomplish the audit objectives.\n\nWe conducted our performance audit in accordance with Generally Accepted Government Auditing\nStandards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient,\nappropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit\nobjective. We believe that the evidence obtained provides a reasonable basis for our findings and\nconclusions based on our audit objective.\n\nOverall, the franchise marketing process for AmTrust Bank was completed in accordance with the\nresolution policies, procedures, and guidelines for the franchise marketing of failed banks. We found that\nthe FDIC had implemented controls designed to ensure that the resolution of AmTrust Bank was managed\neffectively and potential losses to the DIF were minimized for AmTrust Bank\xe2\x80\x99s failure. While these\ncontrols are positive, updated and additional internal control procedures and certain control enhancements\nare warranted.\n\nWe issued a draft of this report on January 19, 2011. We subsequently met with representatives of the\nFDIC\xe2\x80\x99s Division of Resolutions and Receiverships (DRR) in Washington, D.C. and Office of Inspector\nGeneral (OIG) representatives to obtain informal feedback on the draft report. Based on the informal\nfeedback received, we made changes to the draft report that we deemed appropriate. On February 28,\n2011, the Director, DRR, provided a formal written response to our draft report.\n\n\n\n\nBDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the\ninternational BDO network of independent member firms.\n\nBDO is the brand name for the BDO network and for each of the BDO Member Firms.\n\n\n\n                                                                                  I-1\n\x0cThis performance audit did not constitute an audit of financial statements in accordance with GAGAS.\nBDO was not engaged to and did not render an opinion on the FDIC\xe2\x80\x99s internal controls over financial\nreporting or over financial management systems. BDO cautions that projecting the results of our audit to\nfuture periods is subject to the risks that controls may become inadequate because of changes in\nconditions or because compliance with controls may deteriorate. The information included in this report\nwas obtained from the FDIC on or before September 30, 2010. We have no obligations to update our\nreport or to revise the information contained therein to reflect events and transactions occurring\nsubsequent to September 30, 2010.\n\nPlease contact Tom D\xe2\x80\x99Amato at 301-634-4900 if you have any questions or comments regarding this\nreport.\n\n\n\nVery truly yours,\n\n\n\n\nBDO USA, LLP\n\n\n\n\n                                                  I-2\n\x0c                                    TABLE OF CONTENTS\n\nEXECUTIVE SUMMARY                                                                             I-4\n\nBACKGROUND                                                                                    I-6\n\nRESULTS OF AUDIT                                                                             I-10\n\nFINDING A: FRANCHISE AND ASSET MARKETING POLICIES, PROCEDURES,                               I-10\n           AND GUIDELINES\n\n     Recommendations Related to the Franchise and Asset Marketing Policies, Procedures,\n     and Guidelines                                                                          I-14\n\nFINDING B: LEAST COST TEST MODEL                                                             I-15\n\n     Recommendation Related to Least Cost Test Model                                         I-16\n\nFINDING C: THE LEAST COST TEST RESULTS FOR AMTRUST BANK                                      I-17\n\n     Recommendations Related to the Least Cost Test Results for AmTrust Bank                 I-19\n\nFINDING D: BUSINESS INFORMATION SYSTEMS                                                      I-20\n\n     Recommendation Related to Business Information Systems                                  I-20\n\nFINDING E: CONTRACT ADMINISTRATION                                                           I-21\n\n     Recommendation Related to Contract Administration                                       I-21\n\nAPPENDIX I - OBJECTIVE, SCOPE, AND METHODOLOGY                                               I-22\n\nAPPENDIX II - GLOSSARY OF TERMS                                                              I-24\n\nAPPENDIX III - ACRONYMS USED IN THE REPORT                                                   I-26\n\nTABLES\n\n     Table 1: Status of Key Franchise and Asset Marketing Resolution Policies, Procedures,\n     and Guidelines                                                                          I-11\n\n     Table 2: Bank D Bid Compared to Amount Entered Into the LCT Model                       I-18\n\n\n\n\n                                                  I-3\n\x0cEXECUTIVE SUMMARY\n\nThe Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) contracted with BDO\nUSA, LLP (BDO) to conduct a performance audit of FDIC\xe2\x80\x99s franchise marketing process for AmTrust Bank,\nCleveland, Ohio. AmTrust Bank failed on December 4, 2009. To protect depositors, the FDIC entered into a\nPurchase and Assumption (P&A) Agreement 1 with New York Community Bank (NYCB) to purchase $9.2\nbillion in assets and assume all deposits totaling $8.3 billion from AmTrust Bank. Within the FDIC, the\nDivision of Resolutions and Receiverships (DRR) is responsible for the resolution of failed financial\ninstitutions, including the marketing of the failed institution and coordinating the transition of the failed bank to\nthe acquiring institution upon failure. The franchise marketing process involves collecting information on the\nassets, liabilities, and franchise value of a failing insured depository institution, developing and implementing\nmarketing strategies, soliciting and accepting bids for the sale of the institution, determining which bid is least\ncostly to the Deposit Insurance Fund (DIF), and working with acquiring institutions through the failing\ninstitution closing process. The P&A Agreement with NYCB was determined to be the least costly resolution\nstrategy for AmTrust Bank and resulted in an estimated savings of $1.6 billion over the cost of liquidation of the\nfailed bank.\n\nThe objective of this performance audit was to assess the FDIC\xe2\x80\x99s franchise marketing process for AmTrust\nBank. As part of our work, we interviewed key DRR officials responsible for the process and obtained other\nevidence to accomplish the audit objectives. Our audit work covered DRR compliance with the FDIC\xe2\x80\x99s\npolicies, procedures, standards, and guidelines during the franchise marketing process of AmTrust Bank. A\ndetailed discussion of our objective, scope, and methodology is included in Appendix I of this report. The\nprimary criteria for the performance audit are the FDIC DRR policies, procedures, standards, and guidelines for\nthe franchise marketing of failed banks, primarily included in the Resolutions Policy Manual (RPM) 2 and the\nLeast Cost Test (LCT) Manual.\n\nOverall, the franchise marketing process for AmTrust Bank was completed in accordance with the resolution\npolicies, procedures, and guidelines for the franchise marketing of failed banks. We found that the FDIC had\nimplemented controls designed to ensure that the resolution of AmTrust Bank was managed effectively and\npotential losses to the DIF were minimized for AmTrust Bank\xe2\x80\x99s failure. While these controls are positive,\nupdated and additional internal control procedures and certain control enhancements are warranted.\nSpecifically, the RPM and the LCT Manual contain outdated information, and certain control procedures were\nnot followed in marketing AmTrust Bank. Consequently, information related to liquidation costs was\ninaccurate, and the bidding process and the least costly resolution determination process were incomplete.\nFurther, internal controls related to information technology and the segregation of duties were inadequate to\nensure the confidentiality and integrity of this information.\n\nThe DRR franchise marketing process could be improved by establishing procedures and controls for the review\nof the LCT Model 3 to ensure completeness and accuracy and integrity of the data that is ultimately submitted to\n\n1\n  A P&A transaction occurs when a healthy institution (generally referred to as the acquiring or assuming institution)\npurchases some or all of the assets of a failed bank or thrift and assumes some or all of the institution\xe2\x80\x99s liabilities, including\ninsured deposits.\n2\n  DRR Circular 7100.1, The Resolutions Policy Manual, issued October 15, 2004, reaffirms the RPM, which contains the\npolicies and guidelines that apply to all staff in the Franchise and Asset Marketing Branch in both Washington, D.C., and\nDallas, Texas. These policies and guidelines encompass the resolution process for a potentially failing financial institution\nup to the date the institution fails.\n3\n  The LCT Model determines the liquidation value of the failing institution and compares the bids to the liquidation value\nand to each other.\n\n\n                                                               I-4\n\x0cthe FDIC Board of Directors. DRR could improve the bidding process for acquiring institutions by establishing\nprocedures for the documentation of regulatory approval of potential bidders. Further, enhancements related to\nthe methodology and assumptions used in the asset valuation process would improve the consistency of\ninformation provided and ensure the reliability of the valuation of the failing bank\xe2\x80\x99s assets. Additionally, DRR\ncould improve contract administration by establishing procedures to ensure that confidentiality agreements from\ncontractors are maintained.\n\nTaken together, these deficiencies can lead to increased cost to the DIF as a result of inaccurate and incomplete\ninformation for the franchise marketing process. During and subsequent to the performance of our audit, DRR\nbegan remediating some of the findings discussed in this report. Specifically, the DRR RPM, job aids, and\ninstructions to the valuation contractors were in the process of being updated, and enhancements have been\nmade to the LCT Model to improve security and the validation of data inputs. In addition, more robust\nprocedures have been implemented over the development and testing of the LCT Model to include improved\ndocumentation and approval for LCT Model changes and the related testing processes.\n\nWe performed this audit from April 2010 through September 2010 in accordance with the Generally Accepted\nGovernment Auditing Standards (GAGAS) issued by the Comptroller General of the United States and with\naudit policies and procedures established by the FDIC OIG. Those standards require that we plan and perform\nthe audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions\nbased on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings\nand conclusions based on our audit objective. Additionally, we used the Government Accountability Office\xe2\x80\x99s\n(GAO) November 1999 publication Standards for Internal Control in the Federal Government as a guide for\nperforming the audit. The Glossary in Appendix II contains definitions of the terms used in this report, and\nAppendix III contains a listing of acronyms used in the report.\n\nThis performance audit did not constitute an audit of financial statements in accordance with GAGAS. BDO\nwas not engaged to and did not render an opinion on the FDIC\xe2\x80\x99s internal controls over financial reporting or\nover financial management systems. BDO cautions that projecting the results of our audit to future periods is\nsubject to the risks that controls may become inadequate because of changes in conditions or because\ncompliance with controls may deteriorate.\n\n\n\n\n                                                        I-5\n\x0cBACKGROUND\n\nFDIC Mission\n\nThe FDIC is an independent agency created through the Banking Act of 1933. Its mission is to contribute to the\nstability and public confidence in our nation\xe2\x80\x99s financial system by insuring deposits, examining and supervising\nfinancial institutions, and managing receiverships. In its role as federal deposit insurer, and in cooperation with\nthe other federal and state regulatory agencies, the FDIC promotes the safety and soundness of insured\ndepository financial institutions by identifying, monitoring, and addressing risks to the DIF.\n\nA key aspect of the FDIC mission is to plan and effectively handle the resolution of failing FDIC-insured\ninstitutions and to provide prompt, responsive, and efficient administration of failed financial institutions in\norder to ensure that insured depositors are protected and to minimize losses to the DIF. The FDIC Board of\nDirectors has delegated significant authority to the Director DRR to conduct the activities required to resolve a\nfailing institution in the least costly manner and manage the resulting receivership. To minimize the negative\nfinancial effects of failing and failed insured financial institutions on the DIF, DRR uses the least costly\nresolution method to resolve institutions. DRR\xe2\x80\x99s Franchise and Asset Marketing Branch (FAMB) should\nresolve the troubled institution and sell assets in the manner that results in the least cost and highest recovery to\nthe FDIC\xe2\x80\x99s insurance funds and other creditors of the failed institution.\n\nOverview of AmTrust Bank\n\nOn June 23, 2009, the FDIC Board of Directors approved a failing bank case for AmTrust Bank. On\nDecember 4, 2009, the Office of Thrift Supervision (OTS) closed AmTrust Bank, a federally chartered thrift\ninstitution established in 1921, and appointed the FDIC receiver. At closing, AmTrust Bank had a total of\n66 branches in Ohio, Florida, and Arizona and had total assets of approximately $13.0 billion and total deposits\nof approximately $8.3 billion. Prior to the bank closing, the Director, DRR, by authority of the FDIC Board of\nDirectors, approved an all-deposit modified whole bank P&A bid with loss share4 from NYCB, Westbury, New\nYork, as the least costly transaction on November 25, 2009. On November 25, 2009, the Director approved the\nwinning bid, which was selected from 14 bids received from 5 bidders. DRR Washington received the bids and\na bid summary report from DRR in Dallas. These bids were compared to the liquidation cost of AmTrust Bank\nas well as to the other bids to determine the least costly resolution. The DRR analysis of the bids ranged from a\ncost of about $2.2 billion to over $5 billion to the DIF.\n\nUnder the P&A Agreement, NYCB assumed all of the deposits of AmTrust Bank and purchased approximately\n$9.2 billion in assets of AmTrust Bank at a discount of $425 million. The P&A Agreement also included a loss-\nshare transaction on approximately $6.3 billion of the $9.2 billion in assets purchased by NYCB. In addition,\nthe FDIC acquired a value appreciation instrument valued at $10.7 million and transferred to NYCB all\nqualified financial contracts to which AmTrust Bank was a party. NYCB\xe2\x80\x99s acquisition of all the deposits and\ncertain assets was deemed the least costly resolution for the DIF compared to alternatives. The FDIC estimated\nthat the costs to the DIF of the NYCB acquisition would be approximately $1.6 billion less than if the bank had\nbeen liquidated, meaning that the FDIC makes a payout to all insured depositors and liquidates the assets taken\ninto receivership.\n\n\n\n4\n Under loss sharing agreements, the FDIC agrees to absorb a portion of the loss on a specified pool of assets, purchased by\nan acquiring institution from a failed bank, in order to maximize asset recoveries and minimize FDIC losses by keeping the\nassets in the private sector. The agreements are also intended to minimize disruption of loan customers.\n\n\n                                                           I-6\n\x0cThe FDIC retained approximately $3.8 billion of assets, consisting mainly of acquisition, development, and\nconstruction loans and non-performing loans for later disposition. The FDIC estimated the cost of AmTrust\nBank\xe2\x80\x99s failure to the DIF would be $2.2 billion.\n\nOverview of the Franchise and Asset Marketing Process\n\nThe FDIC Improvement Act of 1991 5 (FDICIA) included a provision that requires the FDIC to use the least\ncostly alternative for the deposit insurance fund when resolving a failing institution. Under the FDICIA, the\nFDIC must analyze all bids received and provide to the FDIC Board of Directors a comparison of those bids in\nrelation to the liquidation of the failing institution. The winning bid is selected by comparing all bids and\nchoosing the one with the least cost to the DIF.\n\nThe FDIC Board of Directors authorizes DRR, through the approval of the failing bank case, to evaluate\nalternative methods for resolving a failing institution, using reasonable and prudent business judgment. DRR\nresponsibilities for resolving failing financial institutions includes the marketing of the failing institution and\ncoordinating the transition to an acquiring institution if the institution fails. The FAMB\xe2\x80\x99s resolution specialists\nin Washington, D.C., and in the Field Operations Branch in Dallas, Texas, perform resolution responsibilities.\nThe responsibility is administered through the resolution and receivership processes.\n\nThe resolution process involves collecting information on the assets, liabilities, and franchise value of a failing\ninsured depository institution, developing marketing strategies, soliciting and accepting bids for the sale of the\ninstitution, determining which bid is least costly to the DIF, and working with acquiring institutions through the\nclosing process.\n\nThe receivership process involves performing the closing function at the failed institution; liquidating any failed\ninstitution assets not purchased by the acquiring institution; and distributing any proceeds of the liquidation to\nthe failed institution\xe2\x80\x99s customers who had uninsured deposit amounts and, if there are sufficient funds, to other\ncreditors, with approved claims.\n\nThe goals of the resolution and receivership processes are to:\n\n\xe2\x80\xa2   Provide depositors timely access to their insured funds.\n\xe2\x80\xa2   Resolve failing institutions in the least costly manner.\n\xe2\x80\xa2   Manage receiverships to maximize net return in order to fulfill the FDIC\xe2\x80\x99s statutory obligation to all\n    creditors of the receivership. 6\n\nThe RPM defines the overall resolution policies and general procedures. Related manuals, such as the LCT\nManual, contain detailed instructions for specific resolution tasks. The procedures described in the RPM apply\nto typical resolution activities such as planning and preparing for the resolution project, preparing the\ninformation package, conducting the asset valuation review, marketing the failing institution to qualified\nbidders, and selecting the winning bid. Personnel may be required to use tools and methods not specified in the\nRPM; however, any deviations from the RPM must be thoroughly documented. The LCT Manual provides\n(1) procedures for performing the LCT as a method to analyze and compare bids submitted for failing\n\n\n5\n  The FDIC Improvement Act of 1991 mandated a least-cost resolution method and prompt resolution approach to problem\nand failing banks.\n6\n  The Federal Deposit Insurance Act, 12 United States Code (U.S.C.) 1823 (d) (3) requires the Corporation to maximize the\nnet-present-value return from the sale or disposition of such asset and minimize the amount of any loss realized in the\nresolution of cases.\n\n\n                                                          I-7\n\x0cinstitutions and (2) detailed descriptions on the use of the LCT Model to determine the least costly resolution of\na failing institution.\n\nThe FDIC normally begins its formal resolution process upon contact from the troubled institution\xe2\x80\x99s chartering\nauthority, advising the FDIC of the bank\xe2\x80\x99s expected failure. Once the FDIC receives notification, the FDIC\ncoordinates with the primary federal regulator of the failing institution to obtain information on the institution\xe2\x80\x99s\nassets and liabilities to support the Failing Bank Board Case (Board Case).7 FDIC staff contact the chief\nexecutive officer of the failing institution to discuss logistics, address senior management\xe2\x80\x99s involvement in the\nresolution activities, and request loan and deposit data from the institution or its data processing servicer.\n\nAfter the FDIC receives the requested information from the failing institution, the Marketing Specialist (MS)\nbegins developing the marketing strategy 8 by analyzing the failing institution\xe2\x80\x99s value based on the:\n\n\xe2\x80\xa2   types and quality of assets and liabilities in the information provided by the institution;\n\xe2\x80\xa2   location of the banking facilities, local competition, economic conditions, and causes of failure;\n\xe2\x80\xa2   extent of the problems per the primary federal regulator, failing institution liquidity, stability of its core\n    deposits and deposit mix, institution\xe2\x80\x99s leases to identify any impediments to marketing them; and\n\xe2\x80\xa2   any other attribute that may add to the franchise value.\n\nThe MS will then determine the type of marketing to offer to potential acquirers. The FDIC\xe2\x80\x99s primary\nmarketing strategy is a whole bank P&A with or without loss share. Once the marketing strategy is approved by\nDRR management, a team of FDIC resolution specialists may visit the institution to gather additional\ninformation. The FDIC then values assets of the institution, determines the resolution options to be offered, and\nprepares an information package for potential bidders to access through a secured Website. Based on\nrecommendations by the Director, DRR, the FDIC Board of Directors approves the resolution options to be used\nfor the failing institution.\n\nOnce the necessary information has been gathered and possible resolution options are approved, the FDIC\nbegins marketing the failing institution as widely as possible to encourage competition among prospective\nbidders. A list of prospective bidders, which are primarily existing financial institutions, is assembled based on\ninitial criteria that include a prospective bidding institution\xe2\x80\x99s overall condition, size, and capital level; business\nplan; geographic market; and minority-owned status. The FDIC also considers the institution\xe2\x80\x99s safety and\nsoundness rating, as well as the ratings pertaining to information technology, anti-money laundering, consumer\ncompliance, and community reinvestment. The resulting list of potential bidders will then be notified of a\npotential acquisition opportunity. Private investors that do not already control a bank charter may become\npotential bidders if they obtain clearance from a chartering authority, satisfy any holding company requirements,\nand are in the process of obtaining deposit insurance.\n\nAfter executing a confidentiality agreement with the FDIC, all qualified bidders gain access to the information\npackage on a secure Website, which includes financial data on the institution, legal documents, descriptions of\nthe resolution options being offered, the due diligence process, and the bidding process. The FDIC bidding\noptions available to bidders typically include an option to assume only insured deposits or all deposits.9\n\n7\n  The Failing Bank Board Case is jointly prepared by the DRR and Division of Supervision and Consumer Protection\n(DSC) and presented to the FDIC Board of Directors. The main purpose of the Board Case is to delegate authority to the\nDRR to resolve the bank. Effective February 13, 2011, DSC was renamed the Division of Risk Management Supervision\n(RMS).\n8\n  The overall goal of marketing the institution is to develop and analyze a variety of marketing options to arrive at a strategy\nthat encourages competition among potential acquirers and results in the least costly resolution of the failing institution.\n9\n  These are customer accounts that are held by the failing institution.\n\n\n                                                              I-8\n\x0cAdditionally, the FDIC advises the bidders about the types and amounts of assets that could pass to an acquiring\ninstitution; the assets the FDIC plans to retain; the terms of the asset sale, such as loss share agreements and\noptional asset pools;10 and other significant conditions that are part of the proposed resolution method.\n\nInterested bidders may also perform on-site due diligence, coordinated and monitored by the FDIC, to inspect\nthe books and records of the failing institution for assessing the value of the franchise. This process ensures that\neach bidder is well informed about the circumstances of the failing institution. Bidders submit their proposal(s)\nto the FDIC by a specific bid deadline, which is generally 1 week prior to the scheduled closing. Bids consist of\ntwo parts: (1) the premium the bidder is willing to pay for the failing institution\xe2\x80\x99s deposits, and (2) the amount\nthe bidder is willing to pay to acquire the failing institution\xe2\x80\x99s assets.\n\nThe FDIC analyzes all bids to determine whether they conform to the bidding instructions and assesses the cost\nof each bid to the DIF. The FDIC determines the least costly resolution transaction by evaluating all possible\nresolution alternatives and computing costs on a net-present-value basis. The FDIC is required by law11 to use a\nrealistic discount rate and document any assumptions used in the evaluation, including any assumptions related\nto interest rate, asset recovery rates, asset holding costs, and payment of contingent liabilities. The least costly\ndetermination and the Cost Test Summary (CTS) are included in the Bid Approval Memo (BAM).\n\nOnce the least costly resolution is determined and approved, the FDIC notifies the successful acquiring\ninstitution, all unsuccessful bidders, and the acquiring institution\xe2\x80\x99s chartering authority. The acquiring\ninstitution\xe2\x80\x99s chartering authority, the RMS, and the primary federal regulator make the final regulatory decisions\nabout the transaction to ensure the winning bidder meets all necessary regulatory capital requirements. The\nFDIC then arranges for the acquiring institution to sign the appropriate legal documents before the institution\xe2\x80\x99s\nclosure.\n\nThe chartering authority closes the institution and appoints the FDIC as receiver. The FDIC, as receiver, then\nbegins settling the closed institution\xe2\x80\x99s affairs. Generally, this includes balancing the accounts of the institution\nimmediately after closing, transferring certain assets and liabilities to the acquiring institution, and determining\nthe payment due to the acquiring institution, if any.\n\nIn a P&A transaction, the acquiring institution usually reopens the failed institution the next business day, with\nthe customers of the failed institution automatically becoming customers of the acquiring institution with access\nto their insured deposits (or all deposits, depending on the nature of the transaction). If the FDIC cannot arrange\nfor an acquiring institution to assume the insured deposits, the FDIC will take steps to give insured depositors\naccess to their funds as soon as possible. In some cases, the FDIC will arrange for insured depositors to be paid,\nusually by check or through a paying agent (such as another insured institution).\n\n\n\n10\n   Under certain transaction structures, the FDIC will segregate assets of the failing institution into pools, each containing\nsimilarly situated assets. The prospective acquiring institution may submit a bid to purchase one or more of the pools,\nspecifying the price bid for each pool to be acquired.\n11\n   The Federal Deposit Insurance Act, 12 U.S.C. 1823 (c)(4) requires the Corporation to (i) evaluate alternatives on a\npresent-value basis, using a realistic discount rate; (ii) document the evaluation and the assumptions on which that\nevaluation is based; (iii) retain such documentation for not less than 5 years; (iv) treat Federal tax revenues that the United\nStates Government would forego as the result of a proposed transaction, to the extent reasonably ascertainable, as if such\nrevenues were foregone by the relevant deposit insurance fund; (v) determine the costs of providing any assistance and the\ncosts of liquidation as of the dates prescribed in subparagraph (C) of Section 13(c)(4); and (vi) determine the cost of\nliquidating any insured depository institution in default, for purposes of comparing such cost with the costs of providing\nany assistance, in the manner prescribed in subparagraph (D) of Section 13(c)(4).\n\n\n\n                                                             I-9\n\x0cRESULTS OF AUDIT\nFINDING A: FRANCHISE AND ASSET MARKETING POLICIES, PROCEDURES, AND\nGUIDELINES\n\nOverall, the franchise marketing process for AmTrust Bank was completed in accordance with the resolution\npolicies, procedures, and guidelines for the franchise marketing of failed banks. We found that the FDIC had\nimplemented controls designed to ensure that the resolution of AmTrust Bank was managed effectively and\npotential losses to the DIF were minimized for the AmTrust Bank failure. While these controls are positive,\nadditional internal control procedures for the process and certain control enhancements are warranted.\nSpecifically:\n    \xe2\x80\xa2   The RPM and the LCT Manual contain outdated information and procedures. As a result, the RPM and\n        LCT Manual did not reflect new systems or roles and responsibilities used in determining the least\n        costly resolution strategy. DRR should update the RPM and LCT Manual where appropriate. Table 1,\n        below, shows when DRR\xe2\x80\x99s policies, procedures, and guidelines for franchise marketing were last\n        updated.\n    \xe2\x80\xa2   DRR relied on the expertise of its contractors to develop asset valuation assumptions and on the\n        experience of its employees to follow appropriate policies, procedures, and guidelines during the\n        process. DRR did not provide sufficient guidance for the methodology and assumptions used by its\n        contractors for the AmTrust Bank asset valuation to ensure consistency with other bank failure\n        information and did not document the review process over the asset valuation report.\n    \xe2\x80\xa2   The MS did not obtain documented approval from the regulators (FDIC, OTS, and Office of the\n        Comptroller of the Currency (OCC)), as required by the RPM, for two of the five bids received for\n        AmTrust Bank.\n    \xe2\x80\xa2   The liquidation values of the premises and equipment, securities, accrued interest, prepaid expenses and\n        other assets of AmTrust were based on historical bank failure data. The liquidation values can be\n        unreliable if the manual does not reflect current financial statistical data. In the case of AmTrust Bank,\n        the historical bank failure data was applied to about $1.3 billion of the $13.0 billion (9.7 percent) total\n        assets of AmTrust Bank.\nGAO\xe2\x80\x99s Standards for Internal Controls in the Federal Government states that policies and procedures are an\nintegral part of an organization\xe2\x80\x99s operations and are a key control for ensuring that management\xe2\x80\x99s directives are\ncarried out. In addition, Circular 4010.3, FDIC Enterprise Risk Management System, dated as of September 25,\n2006 requires divisions and offices to maintain current policies and procedures. Without current policies and\nprocedures, the FDIC has less assurance that its franchise marketing process is being implemented consistently,\nin accordance with management\xe2\x80\x99s direction, and produces an accurate result with the least costly resolution to\nthe DIF.\n\n\n\n\n                                                       I-10\n\x0cTable 1: Status of Key Franchise and Asset Marketing Resolution Policies, Procedures, and Guidelines\n                      Policies, Procedures, and Guidelines                            Last Updated\nRPM\n    1. Planning and Preparing for the Resolution Project                                 January 2006\n    2. Preparing the Information Package and Conducting the Asset Valuation              October 2004\n       Review\n    3. Marketing the Failing Institution                                                 October 2004\n    4. Selecting Bids                                                                    October 2004\n\nLCT Manual                                                                               May 2008\nSource: BDO analysis of the DRR\xe2\x80\x99s RPM and LCT Manual.\n\n\n\nResolutions Policy Manual\n\nThe RPM provides procedures and guidelines for typical resolution activities. However, the RPM does not\nreflect current statutory definitions, information system references, and roles and responsibilities related to the\nfour key resolution functions noted in Table 1. As a result, the RPM procedures and guidelines could not be\nfollowed in all cases for the franchise marketing of AmTrust Bank and are not applicable to DRR\xe2\x80\x99s current asset\nmarketing process.\n\nDRR did not provide sufficient guidance related to the AmTrust Bank asset valuation contractor regarding\nwhich methodology and assumptions to use to ensure consistency with other bank failure information and did\nnot document the review process over the asset valuation report. The valuation contractor was engaged by DRR\nto perform a valuation of the AmTrust Bank loan portfolio and the AmTrust Bank mortgage servicing rights.\nGAO\xe2\x80\x99s Standards for Internal Control in the Federal Government states that policies and procedures are an\nintegral part of an organization\xe2\x80\x99s operations and a key control for ensuring that management\xe2\x80\x99s directives are\ncarried out. Further, the standards state that internal control should be designed to assure that ongoing\nmonitoring occurs in the course of normal operations. Monitoring controls include regular management and\nsupervisory activities. DRR relied on the expertise of its contractors to develop asset valuation assumptions and\nthe experience of its employees to determine report review activities over the valuation contractor\xe2\x80\x99s report. The\nasset valuation review report is used to determine values for asset pools to be offered in a resolution and is\ninstrumental in determining the least cost resolution for the institution. The internal control review procedures\nshould be completed and should include a review of the asset valuation methodologies used by the contractor.\nWithout consistent approaches to the preparation and review of the asset valuation report, DRR has increased\nthe risk that the least costly transaction will not be properly determined.\n\nControls related to documenting regulatory bid approval of all bidders for AmTrust Bank could be improved.\nSpecifically, the MS did not obtain documented approval from the regulators (FDIC, OTS, and OCC), as\nrequired by the RPM, for all the bids received for AmTrust Bank. DRR received bids from five banks for\nAmTrust Bank, but documentation of regulatory approval was available for only three banks. The MS receives\nthe regulators\xe2\x80\x99 approvals for received bids either through email or telephone conversations. The absence of\ndocumentation of regulatory approval can result in a bidder that does not meet the bidder qualifications.\n\n\n\n\n                                                        I-11\n\x0cThe paragraphs below describe our audit results related to three of the four key resolution functions.\n    Planning and Preparing for the Resolution Project\n\n    The RPM refers to the Bank Insurance Fund and the Savings Association Insurance Fund; however, these\n    funds have been replaced by the DIF. In addition, certain roles and responsibilities within the RPM are\n    either outdated or no longer applicable, such as the Risk Analysis and Value Estimation (RAVEN) operator.\n\n    Preparing the Information Package and Conducting the Asset Valuation Review\n\n    The RPM refers to the RAVEN system, a program used to assist in the preparation of the Information\n    Package and Asset Valuation Review, that is no longer in use by DRR.\n    The FDIC now uses valuation contractors extensively for failing bank asset valuations. While an asset\n    valuation review report was obtained for AmTrust Bank, enhancements to the internal controls over the\n    contractor valuation process could provide for the consistency of the valuation methods within DRR. For\n    AmTrust Bank, the contractor was not required to follow asset valuation assumptions and methodologies\n    consistent with other failing bank valuations. RPM Chapter III, Conducting the Asset Valuation Review,\n    contains asset valuation review procedures and processes. The RPM does not contain specific\n    methodologies to be followed by DRR. According to the RPM, assumptions should be based on actual\n    liquidation practices and experience in the location of the failing institution\xe2\x80\x99s assets. The FAMB Analysis\n    and Evaluation Section provides benchmark data for loans in the National Assumptions Reference Library\n    (NARL), located on the FDIC Intranet. The valuation contractor should use the NARL to determine\n    whether additional or local assumptions are needed for a specific institution\xe2\x80\x99s assets. The task order issued\n    to the valuation contractor did not require use of the guidance in the RPM.\n    The RPM states that it may be necessary for the FDIC to hire a contractor to provide valuations for complex\n    assets or assets for which the FDIC does not have the valuation expertise or technology. Utilizing outside\n    contractors raises the risk of inconsistency in valuation methodologies, sources of information, and\n    assumptions used in determining asset values among contractors if such requirements for consistency are\n    not explicitly stated in the contractor\xe2\x80\x99s statement of work. Further, different valuation contractors engaged\n    to perform various asset or liability valuations could have differing procedures or processes in place to\n    determine the valuations and derive their support from different sources. Consistent methodology would\n    improve DRR\xe2\x80\x99s assurance that the contractor valuations can be relied upon to accurately reflect asset values\n    during the franchise marketing process.\n    DRR did not document its review of the asset valuation report received from the valuation contractor. RPM\n    Chapter III, Conducting the Asset Valuation Review, requires an asset valuation review. However, the\n    review process outlined in the RPM is outdated and references systems, documents, and job aids that are no\n    longer being used. DRR developed an unofficial asset valuation report review checklist to document review\n    procedures over work performed by asset valuation contractors but did not complete the checklist for\n    AmTrust Bank. The completion of a review checklist is an important control function to help ensure that\n    the contractor\xe2\x80\x99s report meets DRR requirements.\n\n\n\n\n                                                       I-12\n\x0c     Selecting Bids\n\n     DRR did not have documented regulatory approval for 2 of the 5 banks that submitted a total of 14 bids for\n     AmTrust Bank. The RPM, section V.1, and section 22 of the Marketing Coach Job Aid state that the MS\n     must obtain regulatory approval for the bids received. We found that, in practice, the MS obtains approval\n     for bidders from the appropriate regulator of each potential bidder either orally or in written communication.\n     For AmTrust Bank, the MS obtained documented approval of three banks through email from the regulatory\n     agencies and received oral approval (by telephone) for the other two banks, but documentation of that\n     communication was unavailable for our review.\n     Compensating controls exist that would prevent this lack of documentation of approval from the regulators\n     leading to the award of a bid to a bank that was not approved. However, this lack of documentation can lead\n     to a bank that was not approved and does not have the proper liquidity and capital requirements12 bidding on\n     the assets of the failing institution.\n\n\nIn addition, the manual has not been updated to reflect recent regulatory changes associated with the Dodd-\nFrank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act),13 which will eliminate the OTS, and\nany reference to the OTS will need to be removed from the policy. Up-to-date policies, procedures, and\nguidelines are an important internal control for ensuring that processes are repeatable and consistent. Further,\ndisciplined policies help reduce operational risk associated with changes in staff, use of term employees, and\ncontractor personnel.\n\nLeast Cost Test Manual\n\nThe LCT Manual provides a detailed description of procedures to determine the least costly resolution of a\nfailing institution. However, the LCT Manual did not reflect the current DRR business model, liquidation value\ndetermination, roles and responsibilities, and statutory requirements. As a result, the LCT Manual procedures\nand guidelines could not be followed in all cases for determining the least costly resolution of AmTrust Bank.\n\nThe LCT Manual establishes a process for using the LCT Model and determining the least costly resolution of a\nfailing institution. The financial information is also used in the Board Case. A DRR resolution specialist in\nWashington, D.C., prepares the Board Case for the FDIC Board of Director\xe2\x80\x99s approval. The Board Case gives\nDRR authority to determine the least costly resolution of the failing institution to the DIF.\n\n\n\n\n12\n   FDIC Circular 6371.1, Bidders List Preparation and Clearance Process, dated December 20, 2004, requires that the\npotential bidders have a composite rating of 1 or 2 and possess sufficient resources in relation to the proposed acquisition.\nCircular 6371.1, also requires that the resultant institution have a Total Risk-Based Capital Ratio equal to or greater than\n8 percent, a Tier 1 Risk-Based Capital Ratio equal to or greater than 4 percent, and a management rating of 2 or better.\n13\n   The Dodd-Frank Wall Street Reform and Consumer Protection Act, dated July 21, 2010 was enacted to promote the\nfinancial stability of the United States by improving accountability and transparency in the financial system, to end \xe2\x80\x9ctoo big\nto fail,\xe2\x80\x9d to protect the American taxpayer by ending bailouts, to protect consumers from abusive financial services\npractices, and other purposes. The Dodd-Frank Act will reallocate savings and loan holding company supervision to the\nFederal Reserve, Federal savings institution supervision to the OCC, and State savings institution supervision to the FDIC.\n\n\n                                                            I-13\n\x0cThe paragraphs below describe our audit results related to the LCT Manual.\n\n     Liquidation Value Determination\n\n     The LCT Manual contains outdated loss coefficients 14 to be used in determining the liquidation values of the\n     premises and equipment, securities, accrued interest, prepaid expenses and other assets of the failing\n     institution. The liquidation values can be unreliable if the manual does not reflect current financial\n     statistical data. According to the RPM, assumptions should be based on actual liquidation practices and\n     experience in the location of the failing institution\xe2\x80\x99s assets.\n\n     Roles and Responsibilities\n\n     The LCT Manual refers to certain employees by name within DRR. The LCT Manual should refer to\n     employee position titles to ensure that the manual does not require frequent changes due to employee\n     changes.\n\n     Statutory Changes\n\n     The LCT Manual states that escrow accounts for taxes and insurance, usually found in other liabilities are\n     insured up to $100,000; however, due to the recent passage of the Dodd-Frank Act, this amount is now set at\n     $250,000. Due to the lack of frequent updates, this change has not been made to the LCT Manual. The\n     LCT Manual should reflect the latest statutory developments.\n\n\nBy updating policies and procedures, the FDIC could improve assurance that the least costly transaction is being\ndetermined consistent with management\xe2\x80\x99s direction and reliable information is provided in the Board Case for\nthe FDIC Board of Director\xe2\x80\x99s approval and the Director DRR. Up-to-date policies, procedures, and guidelines\nare an important internal control for ensuring that processes are repeatable and consistent. Further, disciplined\npolicies help reduce operational risk associated with changes in staff and use of term employees and contractor\npersonnel.\n\nRecommendations: We recommend that the Director, DRR:\n\n     1. Update the RPM and LCT Manual where appropriate. As part of this effort, define the frequency with\n        which the manuals will be reviewed for possible updates.\n\n     2. Provide instructions and guidance for methods and assumptions to be consistently used by the valuation\n        contractors.\n\n     3. Implement procedures to ensure that regulatory approval of bidders is documented and maintained.\n\n     4. Formalize a checklist for the DRR reviewer\xe2\x80\x99s use in assessing whether the asset valuation conclusions\n        reached by the valuation contractor are reasonable.\n\n\n\n\n14\n  Loss coefficients are expected losses on assets that are based on historical statistical analysis of failed banks for general\nasset categories. The current loss coefficients being used by the DRR are based on historical bank failure data from 1990 to\n2003.\n\n\n                                                             I-14\n\x0cFINDING B: LEAST COST TEST MODEL\n\nThe LCT Manual establishes a process for using the LCT Model in determining the least costly resolution of a\nfailing institution. We found that the LCT Model and its related LCT Template lack a number of important\ncontrols such as password protection to ensure the integrity of the information, documented approval of changes\nto either the program or current version of the LCT Model, and the segregation of duties between the\nprogrammer making changes to the LCT Template and the testing of those changes. Due to an increase in the\nnumber of scenarios in which the template is now being used by DRR, program changes were required for the\nleast cost test spreadsheet to include unique situations. Appropriately controlled access rights are required to\nprotect the confidentiality, integrity, and availability of the resource and all associated data. Also, the presence\nof well-constructed, frequently changed passwords is required to limit access to corporate data to only those\nusers who have a need to know the password. Maintaining the segregation of duties between the person making\nchanges to the LCT Template and the person testing the changes is required to reduce the risk of errors to the\ntemplate. Overall, the lack of internal control procedures to limit access to the LCT Model, the lack of\nsegregation of duties between the programmer making changes to the LCT Model and the testing of those\nchanges, and the lack of documentation of the approval of changes to the LCT Model could contribute to a loss\nin the integrity of the formulae within the LCT Model. These control deficiencies could lead to increased cost to\nthe DIF if the least costly resolution is not selected as a result of inaccurate information. Details on each of\nthese areas follow.\n\nPassword Protection\n\nThe LCT Template is used to create the LCT Model, which is then used by resolution specialists to enter\ninstitution and bid information and arrive at the least cost determination. The LCT Template is located on a\nspecific drive on the FDIC network, and access to the drive is limited to DRR. According to the LCT Manual,\nthe LCT Template is protected from changes and alterations by a password and can be opened only as a read-\nonly file. The read-only file is then saved to a sub-folder usually named for the failing institution. However, we\nnoted that once the template is used to create the LCT Model for each resolution, this password protection is lost\nand not reinstated to ensure the integrity of the information within the file.\n\nApproval of Changes\n\nIn accordance with the LCT Manual, suggestions for changes to the LCT Model should be directed to the point\nof contact within DRR and the Associate Director of Resolution Strategy. As stated in the LCT Manual, the\nAssociate Director should be responsible for approving all changes before they are made. Once the changes are\napproved, the point of contact within DRR will email the LCT Model changes to the programmer and the\nprogrammer\xe2\x80\x99s supervisor. The programmer must obtain the password from the point of contact before making\nchanges. The point of contact within DRR tracks the change process and tests the changes for approval. After\nthe changes are approved, the point of contact changes the password. The point of contact within DRR uses a\nspreadsheet to document all changes to the LCT Model and retains all correspondence concerning the changes.\nDue to an increase in the number of scenarios in which the template is now being used by DRR, program\nchanges were required for the least cost test spreadsheet to include unique situations.\n\n\n\n\n                                                       I-15\n\x0cSegregation of Duties over Program Changes\n\nWe found no evidence of formal documentation of the testing over program changes to ensure changes to the\nLCT Model are operating properly. The programmer had direct control over the LCT Model to make changes.\nThe lack of segregation between the development and testing of changes can affect the operation of the LCT\nModel. User testing, performed by the MS, allows for the evaluation of the functionality of the LCT Model.\nOverall, strengthening the information technology access, change, separation of duties, and approval controls\ncan help ensure the integrity of the LCT Model and the least costly decision.\n\nRecommendation: We recommend that the Director, DRR:\n\n   5. Test and update the LCT Model\xe2\x80\x99s information security access, change, separation of duties, and\n      approval controls, and implement or document that procedures established are being followed to\n      maintain integrity of controls.\n\n\n\n\n                                                    I-16\n\x0cFINDING C: LEAST COST TEST RESULTS FOR AMTRUST BANK\n\nWe reviewed the bid analysis for all bids received for AmTrust Bank and confirmed DRR\xe2\x80\x99s determination of a\nP&A Agreement with NYCB as the least costly resolution in accordance with the RPM and LCT Manual.\nHowever, controls over information entered into the LCT Model for asset valuation percentages15 and asset bid\ndiscounts could be enhanced. Specifically, the resolution specialist used incorrect percentages to value the\nassets at the then market value for eight of the asset groups. The resolution specialist rounded the asset discount\nvalue from a bid received which led to an incorrect cost determination. These errors were not detected because\nthe resolution specialist did not complete the Qualified Bidder and LCT checklists required by the RPM and\nLCT Manual, respectively. In addition, the CTS submitted to the Board of Directors or Director, DRR, could be\nenhanced to provide additional disclosure of information for decision making.\n\nDRR completed the LCT for AmTrust Bank and determined that there would be a cost of approximately\n$3.7 billion to the DIF in the event of liquidation. The cost was determined through the use of data from the\nBalance Sheet of AmTrust Bank as well as asset valuations of several asset pools and the use of loss coefficients\nbased on historical losses to the insurance funds for bank failures from 1990 to 2003. Our analysis of the asset\nvaluations identified that two components, asset valuation percentages and asset discounts, that were used to\nderive the asset valuations contained errors, as discussed below. Using incorrect asset valuation percentages and\ndiscount values could lead to increased cost to the DIF.\n\nAsset Valuation Percentage\n\nDuring our testing of data entered into the LCT Model, we noted that the specialist used incorrect asset\nvaluation percentages for eight of the asset groups. The correct asset valuation percentages were available in the\nvaluation report. The use of the correct asset valuation percentages would have decreased the estimated value of\nthe asset groups by about $85 million, resulting in a liquidation cost estimate that was about $85 million more\nthan the liquidation cost estimate used in determining the least cost resolution. Therefore, the incorrect\nvaluation percentages did not affect the least cost determination for AmTrust Bank. In addition, the specialist\nalso incorrectly calculated the estimated loss for one asset group and \xe2\x80\x9cother assets\xe2\x80\x9d by transposing a number\nwhen entering the accrued interest balance. Similar to the asset valuation percentages, the correct calculation of\nthe value of \xe2\x80\x9cother assets\xe2\x80\x9d would have increased the liquidation cost estimate. Nevertheless, the transposition\nerror did not impact the least cost determination for AmTrust Bank.\n\nThe human input errors affecting the liquidation value computation did not affect the bid information or the bid\nprocess for AmTrust Bank. The liquidation value is used to compare the cost of liquidation by the FDIC to the\ncost of the bids received. Although, the manual input errors did have a significant effect on the liquidation\nvalue, in this instance, the errors did not have an effect on the selection of the winning bid.\n\nAsset Discount Value\n\nThe resolution specialist entered a rounded instead of exact asset discount value for the bid from Bank D into\nthe LCT Model. As identified in Table 2 below, the bid received from Bank D had an asset discount value of\n$1,760,413,000. However, the resolution specialist entered an asset discount value of $1,760,000,000 when\nperforming the LCT Model. Accordingly the Bank D bid was overstated by $413,000 during the bid analysis\nprocess. In this case, the rounding error did not have an effect on the bid evaluations, winning bid selection, or\n15\n   Asset valuation percentages are based on an asset valuation review that compares the book value of assets to the\nestimated recovery values to help determine the projected net loss to the FDIC. The asset valuation percentages are used to\ndetermine the asset discount on the assets valued.\n\n\n                                                           I-17\n\x0cLCT, but using incorrect asset discount values could lead to an improper conclusion on the LCT and an\nincreased cost to the DIF.\n\nTable 2: Bank D Bid Compared to Amount Entered Into the LCT Model\nDescription                                                                                Value\n\nAsset discount value from Bank D bid                                                 $ 1,760,413,000\n\nBank D asset discount value used in LCT Model calculation                                1,760,000,000\n\nAsset discount value overstatement for Bank D bid                                    $        413,000\nSource: Analysis of Bank D Bid on AmTrust Bank.\n\n\n\nLCT and Qualified Reviewer Checklists\n\nThe asset valuation percentages and asset discount value data entry errors were not detected because the LCT\nand Qualified Reviewer checklists were not completed for AmTrust Bank, and the information in the LCT\nModel was not verified for accuracy and completeness. The RPM requires the completion of the Qualified\nReviewer checklist for each failed institution, and the LCT Manual requires that an LCT Checklist be completed\nby the specialist. According to DRR personnel, the LCT and Qualified Reviewer checklists were not completed\nbecause the resolution specialists relied on their years of experience in completing the LCT Model.\n\nThe LCT checklist is to be completed for each failing institution. For example, the checklist identifies the\nprocedures to set up and complete the LCT Model. The procedures include: copying the template file to create\nthe working LCT Model file; modifying the LCT Model file to conform with the recommended marketing\nstrategy for the failing institution\xe2\x80\x99s deposits, facilities, loan asset pools, loss share arrangements, and other\nliabilities and assets; and verifying the failing institution\xe2\x80\x99s financial data, FDIC asset valuation data, and\nindividual bid data inputs into the LCT Model. The LCT Manual requires that the resolution specialist\ncomplete, sign, and include the checklist in the failed institution\xe2\x80\x99s asset marketing file.\n\nThe LCT Manual also requires the completion of a Qualified Reviewer Checklist, which requires the qualified\nreviewer to verify and trace the information in the LCT Model to ensure the completeness and accuracy of that\ninformation. The qualified reviewer is someone within DRR who is not familiar with the failing bank case but\nknowledgeable about the resolution process. According to the LCT Manual, once the AmTrust Bank case was\nfinished and ready to be distributed to FDIC senior management, the qualified reviewer was supposed to\nconduct a review of the LCT and other components of the Board Case for consistency, clarity, and accuracy.\nThe qualified reviewer must also verify that the LCT Model has not been modified when compared to the then-\ncurrent template to ensure the integrity of the information entered into the LCT Model. The qualified reviewer\nis required to sign on the signature page of the BAM supporting the resolution recommendation.\n\n\n\n\n                                                      I-18\n\x0cCost Test Summary (CTS) and Bid Approval Memorandum\n\nThe LCT Model produces the CTS, which compares the liquidation costs to the winning bid and the second-best\nbid. The CTS is included in the BAM submitted to the Director, DRR, for approval. The AmTrust Bank BAM\nincluded a description of the failing institution; the reason for the bank failure; and a discussion of the winning\nand the second-best bids, the CTS, and a summary of all bids received. The CTS could be enhanced to provide\nadditional financial institution and bid information to facilitate decision making.\n\nSpecifically we noted the following in the AmTrust Bank CTS included in the BAM:\n\n            \xe2\x80\xa2   An amount was labeled in the CTS for deposit payout to AmTrust depositors in the state of\n                Ohio, when that amount actually represented the Ohio deposits and significant liabilities owed\n                to additional creditors, including Federal Home Loan Bank advances. This can lead to a\n                misrepresentation of the facts and the non-approval of a winning bidder by the Board of\n                Directors or their delegate.\n            \xe2\x80\xa2   Explanations were not provided for each item reported (such as Assets under Loss Share, Assets\n                Passed with no Loss Share, Assets Retained, Initial Payment, etc.) in the CTS and the summary\n                of bid information. This can lead to a misrepresentation of the facts and the non-approval of a\n                winning bidder by the Board of Directors or their delegate.\n            \xe2\x80\xa2   The format of the information presented in the CTS did not allow for a clear understanding of\n                the differences between bids and the determination of the winning bidder. For example, the two\n                top bids received included a loss share agreement; however, loss share payments were shown\n                for only one bidder, and there was no reason given for the other bidder showing a zero loss\n                share payment. Clear, distinct explanations of the information provided in the CTS will\n                enhance the effects and differences between the two highest bids for the user, whether it is the\n                Director, DRR, or the FDIC Board of Directors.\n\nOverall, errors and the lack of clear explanations and information in the CTS could lead to the selection of a bid\nthat does not represent the least loss to the FDIC.\n\nRecommendations: We recommend that the Director, DRR:\n\n    6. Implement procedures to ensure the LCT and Qualified Reviewer checklists are completed to verify the\n       completeness and accuracy of the information included in the LCT Model.\n\n    7. Expand informational disclosures to define and explain account descriptions contained in the CTS\n       included in the BAM.\n\n\n\n\n                                                       I-19\n\x0cFINDING D: BUSINESS INFORMATION SYSTEMS\n\nWhile comprehensive procedures existed for the collection and the distribution of data obtained from the failing\ninstitution during the AmTrust Bank franchise marketing process, internal control procedures could be improved\nto administer and manage access rights to database management systems.\n\nBusiness Information Systems (BIS), an organizational unit within FAMB, supports the franchise marketing\nprocess by providing data processing services related to the failing institution. The BIS professionals work\nclosely with the MS and team leader in gathering financial information related to the failing institution and\ndistributing the data to DRR secure Websites for analysis by the resolution team and valuation specialist and in\nsupporting financial institution bidding activities. The BIS professionals use contractors to assist with their\nprocedures. In accordance with FDIC Circular 4010.3, the FDIC DRR has operating procedures for BIS that are\ncurrent and appropriately documented, with reasonable controls incorporated into their procedures. However,\nenhanced management of administrative access rights would prevent the access of financial information by\nunauthorized users which could affect the integrity and accuracy of the information provided to DRR and\nbidding institutions.\n\nAccess to Databases and Systems\nThe FDIC granted an excessive number of user\xe2\x80\x99s administrative access rights to the database management\nsystem. Administrative access rights allow users to bypass many of the database management system controls\nover user activities. The FDIC granted these powerful access rights to 62 users for the structured query\nlanguage main database containing the AmTrust Bank data download. The access permissions were granted\nprimarily due to contractors being grouped together and given access as a group. In addition, the FDIC has\nestablished procedures governing the provisioning of user access accounts across all systems and databases;\nhowever, user access to the main database and SharePoint\xc2\xae Website is not rescinded in a timely manner after a\nbank closing. FDIC Directive 1360.15, Access Control for Information Technology Resources, dated\nFebruary 27, 2009, states that access controls shall be implemented whenever an information technology (IT)\nresource owner requires that access to the IT resource must be restricted to a limited set of users or that different\nusers require different types of access. Also, access to IT resources shall be provided for legitimate business use\nonly after proper authorization has been provided when required. Based on inquiries with the FDIC\xe2\x80\x99s BIS and\nDivision of Information Technology teams, we determined that the user access lists provided during the audit\nwere the same as of the date of the AmTrust Bank closing, which evidenced that no user access had been\nrescinded after the closing. Access should be removed if the job responsibilities of the user change, if the user\ntransfers to a different organization, or if the user no longer requires access for any other reason. Appropriate\nrestriction of user access rights in accordance with FDIC policy and the timely recision of user access after a\nbank closing will help prevent unauthorized data changes.\n\nRecommendation: We recommend that the Director, DRR:\n    8. Implement a pre- and post-closing procedure to evaluate all access, including administrative access\n       rights, and restrict access rights to reduce the potential for unauthorized data access changes.\n\n\n\n\n                                                        I-20\n\x0cFINDING E: CONTRACT ADMINISTRATION\nThe FDIC uses contractors to assist with asset valuation and data integrity throughout the franchise marketing\nprocess. Although the FDIC requires confidentiality agreements for contractors and their key professionals, for\nAmTrust Bank, confidentiality agreements could not be provided for two of the five key personnel identified in\nthe Basic Ordering Agreement. In addition, the FDIC could not locate the confidentiality agreement for the\nprimary contractor entity responsible for handling all the electronic data from the failing institution but executed\na new agreement on September 20, 2010, following our inquiry. The Division of Administration (DOA) is\nresponsible for the maintenance of confidentiality agreements. The missing documents can be attributed to the\nlack of procedures for tracking and maintaining confidentiality agreements. Consequently, the FDIC has less\nassurance that the contractors performing services under FDIC contracts have agreed to protecting and\nsafeguarding sensitive information.\n\nTracking and maintaining confidentiality agreements for certain contractors\nDuring our testing of contractor requirements related to the franchise marketing of AmTrust Bank, the FDIC\ncould not provide evidence that the BIS contractor company signed the required confidentiality agreement\nbefore commencement of their engagement on AmTrust Bank. The FDIC obtained a company confidentiality\nagreement after our inquiry into the existence of an agreement. In addition, there was no record of\nconfidentiality agreements, FDIC Form 3700-46, signed by the BIS contractor for two of the five key personnel\nidentified in the Basic Ordering Agreement. Signature of the contractor on Form 3700-46 acknowledges that\nthe contactor has read FDIC Circular 1360.9, Protecting Sensitive Information, dated April 30, 2007. This\ncircular documents the FDIC policy on protecting sensitive information collected and maintained by the FDIC\nand provides guidance for safeguarding the information.\nWithout completed confidentiality agreements, the FDIC cannot ensure that FDIC contractors have agreed to\nprotecting and safeguarding sensitive information as prescribed by FDIC Circular 1360.9.\n\nRecommendation: We recommend that the Director, DRR:\n    9. Coordinate with the DOA to implement procedures for the tracking and maintenance of DRR contractor\n       confidentiality agreements.\n\n\n\n\n                                                       I-21\n\x0c                                                APPENDIX I\n                                OBJECTIVE, SCOPE, AND METHODOLOGY\nObjective\n\nThe objective of this performance audit was to assess the FDIC\xe2\x80\x99s franchise marketing process for AmTrust\nBank. Specifically, we assessed the reliability of and compliance with the FDIC\xe2\x80\x99s policies, procedures,\nstandards, and guidelines for the franchise marketing of AmTrust Bank. To accomplish the objectives, BDO:\n\n    \xe2\x80\xa2   Assessed the FDIC DRR\xe2\x80\x99s franchise marketing process and program results for AmTrust Bank.\n\n    \xe2\x80\xa2   Assessed the FDIC DRR\xe2\x80\x99s overall internal control policies and general procedures for conducting the\n        overall franchise marketing process for AmTrust Bank in accordance with applicable provisions of the\n        RPM.\n\n    \xe2\x80\xa2   Assessed the FDIC DRR\xe2\x80\x99s policies and procedures for asset valuations, including the related oversight\n        and monitoring of contractors involved in the valuation of AmTrust Bank, and the review of the bank\n        valuations by the DRR valuation expert in accordance with applicable DRR guidelines.\n\n    \xe2\x80\xa2   Assessed FDIC DRR\xe2\x80\x99s policies and procedures for conducting the bidding process for AmTrust Bank in\n        accordance with applicable sections of the RPM, and Marketing Coach and Team Leader Job Aids.\n\n    \xe2\x80\xa2   Assessed FDIC DRR\xe2\x80\x99s policies and procedures for conducting the least cost test for AmTrust Bank that\n        determines the winning bid in accordance with the LCT Manual and the least costly resolution strategy\n        of AmTrust Bank to minimize the loss to the DIF.\n\n    \xe2\x80\xa2   Assessed the completeness and accuracy of the failing institution data compiled by the FDIC BIS team.\n\n    \xe2\x80\xa2   Assessed the completeness and accuracy of the BIS-generated deliverables, as well as the interfaces of\n        the deliverables throughout the resolution process.\n\nWe conducted this performance audit from April 2010 through September 2010 in accordance with GAGAS.\nThose standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide\na reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence\nobtained provides a reasonable basis for our findings and conclusions based on our audit objective.\n\nScope and Methodology\n\nOur procedures covered the processes followed during the franchise marketing process of AmTrust Bank.\nSpecifically, the audit covered the following:\n\n\xe2\x80\xa2   Tested the compliance with overall internal control policies and general procedures by walkthrough\n    procedures, which included either one or a combination of inquiry, observation, verification, or re-\n    computation.\n\n\xe2\x80\xa2   Reviewed the contractor selection process, FDIC oversight and monitoring procedures of the contractors\n    utilized, user/contractor access controls for sensitive information, and the final deliverable that aligns with\n    the DRR Contractor Statement of Work.\n\n\n                                                       I-22\n\x0c\xe2\x80\xa2   Determined whether the models, methodologies, and assumptions used by the valuation contractor are in\n    accordance with FDIC guidelines, reviewed the controls over the determination of the value of AmTrust\n    Bank, evaluated the effect of uninsured depositors on the valuation process, and assessed approvals of\n    valuation deliverables and reasonability testing of the end results provided by the valuation contractor.\n\n\xe2\x80\xa2   Determined the reasonability of the values of the whole bank assets, liquidation values, and assets\n    transferred and kept within the FDIC. In addition, we reviewed the valuation of the loans and other assets\n    performed by the valuation specialist and determined the reasonability of other failed bank assets, liabilities,\n    and intangible/intrinsic values, if any, not performed by the valuation contractor.\n\n\xe2\x80\xa2   Tested the controls surrounding the LCT, including worksheets utilized in the process. Specifically, we\n    determined whether:\n        a. an LCT was conducted and performed timely;\n        b. the LCT Model is operating as designed;\n        c. the source data entered agrees to the source documents (AmTrust Bank financial data and bid\n            information);\n        d. all resolution options were considered and properly evaluated;\n        e. the documentation of evaluations and assumptions was sufficient;\n        f. the procedures and rationale for the structure of the franchise sale and pre-set resolution were sound;\n        g. the authorization of the resolution decision with the lowest-cost option was given;\n        h. the Board Case development, content, and approvals were complete;\n        i. there was a comparison to actual sale results and whether the actual loss share component results are\n            comparable to the estimate used in the valuation;\n        j. the LCT results estimate the actual impact to the DIF.\n\n\xe2\x80\xa2   Reviewed the process for the selection and approval of bidders, the exclusion of prohibited purchasers, and\n    the receipt of bidder confidentiality agreements. We reviewed the authorization for marketing AmTrust\n    Bank and determined whether the marketing strategy was developed in accordance with policies and\n    procedures and whether approvals of the marketing strategy were obtained. Additionally, we reviewed the\n    process for the establishment of the secure bidder Website, management of sensitive information, and\n    whether archiving policies were achieved.\n\n\xe2\x80\xa2   Assessed and tested controls over data retrieval, dispersion, and storage as considered necessary. This\n    includes controls over data postings to the various systems and the data integrity during the data extraction\n    and delivery process performed by DRR.\n\n\xe2\x80\xa2   Evaluated the integrity of the AmTrust Bank data imported by the FDIC BIS team and reviewed the data for\n    completeness and accuracy. Also evaluated the interfaces between the initially imported AmTrust Bank\n    data and the various secure Website destinations.\n\n\n\n\n                                                       I-23\n\x0c                                           APPENDIX II\n                                      GLOSSARY OF TERMS\nTerm                     Definition\nAsset Valuation Review   Process that estimates the value of assets to the FDIC as receiver of the failing\n                         institution. The asset valuation review compares the book value of assets to the\n                         estimated recovery values to help determine the projected net loss to the FDIC.\n\n\nBid List                 List of qualified potential acquiring institutions provided to the FAMB by the\n                         Division of Risk Management Supervision. These potential acquiring institutions\n                         are invited to bid on the failing institution.\n\n\nCall Report              Consolidated reports of condition and income submitted quarterly by an institution\n                         to the FDIC (for national and state non-member banks) or to the appropriate\n                         Federal Reserve Bank (for state member banks).\n\nConfidentiality          Agreement between the FDIC and potential acquiring institutions and contractors,\nAgreement                acknowledging the confidentiality of the failing institution\xe2\x80\x99s Information Package\n                         and other documents and procedures related to the resolution of the failing\n                         institution.\n\n\nInformation Package      Product developed by Franchise Marketing as a marketing tool, which provides a\n                         snapshot of the failing institution's assets, liabilities, and business on a specific\n                         date. It is comprised of two parts. The first part is a summary-level detail of\n                         assets and liabilities that are available for acquisition along with a summary of\n                         terms and various transactions being offered. The first part is provided to\n                         potential bidders. The second part provides specific detail of assets and liabilities,\n                         including items being excluded from the transaction. Both parts are provided to\n                         the FDIC Closing Team and other regulatory agencies to assist in preparation for a\n                         resolution.\n\n\nLeast Cost Test          An analysis of the bids received to determine the resolution alternative that will\n                         result in the least cost to the DIF.\n\n\nLeast Cost Test Manual   The Least Cost Test Manual provides a detailed description of how to use the LCT\n                         Model, which is used to determine the least costly resolution of a failing\n                         institution.\n\n\nLoss Share Agreement     An agreement entered into by and between the FDIC, as receiver for a failed\n                         institution, and an acquiring institution whereby a pool of problem assets is sold to\n                         an acquiring institution under an agreement that the FDIC will share a portion of\n                         the losses. This structure allows the FDIC to reduce the immediate cash outlays\n                         for a P&A transaction and maximize asset recoveries.\n\n\n\n\n                                                  I-24\n\x0cTerm                        Definition\nOffice of the Comptroller   Chartering agency for national banks and of the U.S. Treasury. OCC approval is\nof the Currency             required by law in connection with the organization of new national banks, the\n                            conversion of state-chartered banks into national banks, and consolidations or\n                            mergers involving national banks. In a failing bank situation, the OCC declares\n                            national banks insolvent, closes the institution, and appoints the FDIC as receiver.\n\n\nOffice of Thrift            The office within the U.S. Treasury Department that has responsibility for the\nSupervision                 overall supervision, regulation, and examination of federally chartered thrift\n                            institutions.\n\n\nOptional Asset Pools        Under certain transaction structures, the FDIC will segregate assets of the failing\n                            institution into pools containing similarly situated assets. The prospective\n                            acquiring institution may submit a bid to purchase one or more of the pools,\n                            specifying the price bid for each pool to be acquired.\n\n\nPurchase and                The agreements executed between the receiver, buyer, and seller of the failing\nAssumption Agreement        institution.\n\n\nQualified Financial         Those qualified financial contracts that are defined in 12 U.S.C. 1821(e)(8)(D) to\nContracts                   include securities contracts, commodity contracts, forward contracts, repurchase\n                            agreements, and swap agreements and any other contract determined by the FDIC\n                            to be a qualified financial contract as defined in that section.\n\n\nQualified Reviewer          Designated resolution specialist with responsibility to review the least cost\n                            determination. The qualified reviewer is someone within DRR who is not familiar\n                            with the case but knowledgeable about the resolution process.\n\n\nReceiver                    An agent (in the instance of a failed institution, the FDIC) appointed by a failed\n                            institution's primary regulator to manage the orderly liquidation of the failed\n                            institution.\n\n\nResolutions Policy          The manual focuses on the overall resolution policies and general procedures.\nManual                      Detailed instructions for specific tasks are referenced throughout the manual.\n\n\nServicing Pool              A portfolio of assets often composed of assets with similar characteristics.\n\n\nUninsured Deposits          Amounts on deposit with a financial institution that are in excess of the amounts\n                            insured by the DIF.\n\n\nValue Appreciation          A debt or equity instrument or obligation issued by an entity that entitles its\nInstrument                  holders to receive payments that depend primarily on the stock price of the entity.\n\n\n\n\n                                                    I-25\n\x0c                                  APPENDIX III\n\n                       ACRONYMS USED IN THE REPORT\n\nAcronym:   Explanation:\nBAM        Bid Approval Memorandum\nBDO        BDO USA, LLP\nBIS        Business Information Systems\nCTS        Cost Test Summary\nDIF        Deposit Insurance Fund\nDOA        Division of Administration\nDRR        Division of Resolutions and Receiverships\nDSC        Division of Supervision and Consumer Protection\nFAMB       Franchise and Asset Marketing Branch\nFDIC       Federal Deposit Insurance Corporation\nFDICIA     Federal Deposit Insurance Corporation Improvement Act\nGAGAS      Generally Accepted Government Auditing Standards\nGAO        Government Accountability Office\nIT         Information Technology\nLCT        Least Cost Test\nMS         Marketing Specialist\nNARL       National Assumptions Reference Library\nNYCB       New York Community Bank\nOCC        Office of the Comptroller of the Currency\nOIG        Office of Inspector General\nOTS        Office of Thrift Supervision\nP&A        Purchase and Assumption\nRAVEN      Risk Analysis and Value Estimation\nRMS        Division of Risk Management Supervision\nRPM        Resolutions Policy Manual\nU.S.C.     United States Code\n\n\n\n\n                                          I-26\n\x0c                Part II\n\nManagement Comments and OIG Evaluation\n\x0cMANAGEMENT COMMENTS AND OIG EVALUATION\n\n    DRR provided a written response, dated February 28, 2011, to the draft of this report.\n    Management\xe2\x80\x99s response is presented in its entirety beginning on page II-2. Management\n    agreed with the nine BDO recommendations.\n\n    A summary of management\xe2\x80\x99s comments on the recommendations begins on page II-9.\n    DRR\xe2\x80\x99s planned and completed actions are responsive to BDO\xe2\x80\x99s recommendations, and\n    all of the recommendations are resolved. The recommendations will remain open until\n    we determine that the agreed-to corrective actions have been completed and are\n    responsive.\n\n\n\n\n                                             II-1\n\x0c                                  MANAGEMENT COMMENTS\n\n\n\nFederal Deposit Insurance Corporation\n550 17th Street NW, Washington, D.C. 20429-9990                     Division of Resolutions and Receiverships\n\n DATE:            February 28, 2011\n\nTO:               Russell A. Rau\n                  Assistant Inspector General for Audits\n\n                  /Signed/\nFROM:             Bret D. Edwards, Acting Director\n                  Division of Resolutions and Receiverships\n\nSUBJECT:          Response to Draft Audit Report Entitled, The FDIC\xe2\x80\x99s Franchise\n                  Marketing of AmTrust Bank (Assignment No. 2010-032)\n\nThis memorandum is in response to the recommendations in the subject draft audit report dated\nJanuary 19, 2011.\n\nThe Division of Resolutions and Receiverships (DRR) has been working to strengthen internal\ncontrols in the Franchise Marketing process as a result of GAO\xe2\x80\x99s 2009 Financial Statement audit.\nMany of the recommendations included in the subject report are similar to those cited by GAO\nand have already been corrected or are in the process of being corrected.\n\nEarly in 2010, the Closed Bank Financial Risk Committee was established to quantify risks to\nthe insurance fund that are posed by the resolution of failed insured institutions and failed\ninstitutions\xe2\x80\x99 assets. The committee meets quarterly and is comprised of senior management from\nDRR, Division of Insurance and Research (DIR), Division of Finance (DOF) and Division of\nRisk Management Supervision (RMS). In addition, DRR created various Job Aids and\nimplemented new committees and review procedures for least cost test and asset valuations. In\nOctober 2010, a new statement of work for the asset valuation contract was issued. The new\nstatement of work provides more detail, better guidance and clearer instruction regarding\nmethodology and deliverables. An FA Asset Valuation Review Group and the Resolution\nStrategy Committee were established to enhance the quality of the valuations and to provide a\nmechanism for approving both the asset valuation and the resolution strategy developed for each\nfailing institution. In May 2010, Business Information Systems (BIS) implemented a role-based\nsecurity model for all new SharePoint sites and developed a plan to restrict the number of users\nwith administrative rights to the database management system. Beginning in July, 2010, BIS\nbegan performing periodic security reviews to reduce the number of people with access over\ntime.\n\nDRR agrees with all recommendations in the draft report and is committed to implementing the\nrecommendations in a timely manner.\n\n\n OIG Audit Recommendation 1: Update the RPM and LCT Manual where appropriate. As part\n of this effort, define the frequency with which the manuals will be reviewed for possible updates.\n\n        DRR Response: DRR agrees with this recommendation. The Resolutions Policy Manual\n        and Least Cost Test Manual have been combined (i.e. Resolution Manual) and updated.\n\n\n\n\n                                                  II-2\n\x0cII-3\n\x0cII-4\n\x0cII-5\n\x0cII-6\n\x0cII-7\n\x0cII-8\n\x0c        SUMMARY OF MANAGEMENT\xe2\x80\x99S COMMENTS ON THE RECOMMENDATIONS\n\nThis table presents management\xe2\x80\x99s response to the recommendations in the report and the status of the\nrecommendations as of the date of report issuance.\n\n\n                                                                  DRR\n Rec.                                                                        Monetary   Resolved:a   Open or\n              Corrective Action: Taken or Planned               Completion\nNumber                                                                       Benefits   Yes or No    Closedb\n                                                                  Date\n   1.     DRR agreed with the recommendation. The                March 31,      $0         Yes        Open\n          RPM and LCT Manual have been combined as                2011\n          the Resolutions Manual. DRR anticipates that\n          the Resolutions Manual will be approved by\n          March 31, 2011. The Resolutions Manual will\n          be reviewed and updated annually, if necessary.\n\n   2.     DRR agreed with this recommendation and                October        $0         Yes        Open\n          completed corrective actions in 2010. In June           2010c\n          2010, DRR formally updated the Standard Asset\n          Value Estimation (SAVE) Manual referencing\n          the use of valuation contractors and providing\n          general procedural guidance.\n\n          Initially, valuation contractors were operating\n          under contract terms that provided very broad\n          guidance regarding valuation methodology. As\n          of October 2010, asset valuation contractors\n          have been operating under new contract terms\n          that contain a more structured statement of work\n          than was previously in place. The new statement\n          of work provides more detail, better guidance,\n          and clearer instructions regarding methodology,\n          formatting, and deliverables. Contractors are\n          now required to submit specific information in a\n          multi-page spreadsheet format. In addition,\n          contractors are now required to provide detail on\n          their valuation methodology, assumptions, and\n          file review notes in the narrative portion of their\n          written report.\n\n\n\n\n                                                       II-9\n\x0c                                                               DRR\n Rec.                                                                     Monetary   Resolved:a   Open or\n             Corrective Action: Taken or Planned             Completion\nNumber                                                                    Benefits   Yes or No    Closedb\n                                                               Date\n  3.     DRR agreed with this recommendation. To              April 30,      $0         Yes        Open\n         improve the documentation supporting verbal           2011\n         confirmations received from the primary federal\n         regulators of failing institutions, DRR will\n         include additional steps in the procedures for\n         documenting regulatory approval. The MS will\n         ask the regulators to email confirmation that the\n         bidders are cleared to bid. If a confirmation is\n         not received and the regulator verbally cleared\n         the bidder, the MS will email the regulator\n         confirming the phone conversation when the\n         regulator cleared the bidder. The expected\n         completion date for updating the corresponding\n         Job Aid is April 30, 2011.\n\n  4.     DRR agreed with this recommendation and              October        $0         Yes        Open\n         completed corrective action in 2010. DRR\xe2\x80\x99s            2010c\n         response states that DRR strengthened the\n         valuation review processes beginning in June\n         2010. A Job Aid was approved in October 2010.\n         A Vertical Review Team has been established\n         that formally reviews both the spreadsheet\n         information and the narrative for each asset\n         valuation report, using a Vertical Review\n         Checklist. Approximately 100 of these\n         checklists have been reviewed and approved\n         since June 2010.\n\n         Additionally, the results of the Asset Valuation\n         Review are sent to the DRR\xe2\x80\x99s Asset Valuation\n         Review Group for review. This review includes\n         \xe2\x80\x9ca comparison with previous AVR [Asset\n         Valuation Review] results, with other valuation\n         contractors, and across geographic location,\n         looking for any outlier valuations that appear to\n         be outside normal ranges.\xe2\x80\x9d\n\n         The Vertical Review Checklist and Job Aids are\n         referenced in the updated Resolutions Manual,\n         and the Asset Valuation Review deliverables as\n         well as completed checklists are now retained in\n         the Communication, Capability, Challenge, and\n         Control (4C) System.\n\n\n\n\n                                                     II-10\n\x0c                                                               DRR\n Rec.                                                                     Monetary   Resolved:a   Open or\n             Corrective Action: Taken or Planned             Completion\nNumber                                                                    Benefits   Yes or No    Closedb\n                                                               Date\n  5.     DRR agrees with this recommendation and has          April 30,      $0         Yes        Open\n         implemented procedures to improve controls in         2011\n         this area. Procedures for accessing, changing,\n         approving, and testing over both the LCT file\n         and the Loss Share Worksheet have been\n         implemented. These procedures will be\n         documented in a new Job Aid, which is\n         scheduled to be completed by April 30, 2011.\n\n  6.     DRR agreed with this recommendation and              July 29,       $0         Yes        Open\n         completed corrective action in 2010. As a result      2010c\n         of the findings contained in the GAO\xe2\x80\x99s 2009\n         financial statement audit report, DRR\xe2\x80\x99s\n         Franchise Marketing implemented new review\n         procedures in June 2010 to verify that the LCTs\n         completed for failed banks were complete and\n         accurate. The new review procedures were\n         approved by the Deputy Director, DRR, on\n         July 29, 2010, and consist of the following:\n         (1) a peer review utilizing a Qualified Reviewers\n         Checklist; (2) the Manager, Franchise\n         Marketing, reviews 100 percent of the LCTs and\n         indicates evidence of review by signing the\n         BAM; and (3) a post-closing review by\n         Franchise Marketing staff using the Qualified\n         Reviewers Checklist.\n\n         In addition, Franchise Marketing conducted\n         post-closing reviews on all 2010 failures, using\n         the newly implemented Qualified Reviewers\n         Checklist. Any errors that are discovered during\n         the post-closing review and impact the cost to\n         the FDIC are corrected and promptly sent to the\n         FDIC\xe2\x80\x99s Division of Finance to be reflected in the\n         Corporation\xe2\x80\x99s books and records.\n\n\n\n\n                                                    II-11\n\x0c                                                                DRR\n Rec.                                                                      Monetary   Resolved:a   Open or\n             Corrective Action: Taken or Planned              Completion\nNumber                                                                     Benefits   Yes or No    Closedb\n                                                                Date\n  7.     DRR agreed with this recommendation. DRR              April 30,      $0         Yes        Open\n         stated that the descriptions contained in the CTS      2011\n         cannot be expanded, but DRR plans to provide\n         better explanation in the BAM when there are\n         account descriptions that deviate from the\n         standard transactions being offered such as with\n         nonconforming bids or as new structures are\n         being introduced into the resolution process.\n         DRR\xe2\x80\x99s response states that the Director, DRR,\n         and Board of Directors are familiar with bid\n         terms from the monthly Board Meetings and\n         routine briefings.\n\n         According to DRR, the CTS is an Excel\n         spreadsheet that is used to present the results of\n         the least cost analysis and therefore does not\n         provide the flexibility for a description of every\n         line item. Line items on the CTS that differ\n         from the standard description will be revised to\n         reflect the appropriate description, or a footnote\n         will be added to the CTS. Franchise Marketing\n         will add a step to the Bid Approval-Least Cost\n         Test Instructions Checklist that requires the\n         Analysts to expand informational disclosures\n         that define and explain account descriptions in\n         the narrative of the BAM, as deemed necessary.\n         DRR expects to complete the update to the\n         related Job Aid by April 30, 2011.\n\n\n\n\n                                                      II-12\n\x0c                                                               DRR\n Rec.                                                                     Monetary   Resolved:a   Open or\n             Corrective Action: Taken or Planned             Completion\nNumber                                                                    Benefits   Yes or No    Closedb\n                                                                Date\n  8.     DRR agreed with this recommendation.                 June 30,       $0         Yes        Open\n         According to DRR, the following changes have           2011\n         been made or are in the process of being\n         implemented to improve security.\n\n          - To aid in administration of the BIS SharePoint\n         server, DRR added a new SharePoint security\n         group with access to all standard bank project\n         data except areas containing sensitive Large\n         Bank information.\n\n          - In May 2010, BIS implemented a role-based\n         security model for all new SharePoint sites.\n         DRR\xe2\x80\x99s Business Program Management Section\n         is currently updating DRR\xe2\x80\x99s SharePoint\n         governance policy, which includes the role-\n         based security model and is expected to be\n         completed by April 30, 2011. In conjunction\n         with the implementation of role-based security\n         for SharePoint mentioned above, BIS developed\n         a plan to restrict the number of users with\n         administrative rights to the database\n         management system by creating a new role in\n         the system with access to perform specific\n         database functions. Limiting the activities the\n         new role can perform will prevent non-\n         administrative users from altering database\n         membership. DRR anticipates that the new user\n         role approach will be implemented by June 30,\n         2011.\n\n          - In July 2010, BIS began performing periodic\n         security reviews corresponding with Critical\n         Bank Project Milestones to reduce the number of\n         people with access over time. At the time of\n         each review, non-essential user access to the\n         database system and SharePoint information is\n         restricted.\n\n\n\n\n                                                    II-13\n\x0c                                                                        DRR\n Rec.                                                                                   Monetary       Resolved:a     Open or\n                 Corrective Action: Taken or Planned                  Completion\nNumber                                                                                  Benefits       Yes or No      Closedb\n                                                                         Date\n  9.        DRR agreed with this recommendation. DRR                  February 7,           $0             Yes         Open\n            noted that on September 15, 2010, DOA issued                2011c\n            policy addressing non-key personnel that is\n            consistent with the OIG\xe2\x80\x99s recommendation. The\n            policy addresses the immediate need for\n            requiring confidentiality agreements for non-key\n            personnel in situations where contractor\n            personnel were performing in high-risk roles.\n            On February 7, 2011, the Assistant Director of\n            Contract Oversight, DRR, sent a global email to\n            DRR Oversight Managers, reminding them of\n            their responsibilities regarding the request,\n            receipt, and filing of the confidentiality\n            agreements for non-key personnel.\n\n            DRR determined that improvement in DOA\xe2\x80\x99s\n            controls have addressed the OIG\xe2\x80\x99s concerns\n            regarding confidentiality agreements for\n            contractors and key personnel. With respect to\n            key personnel, the appropriate procedures for\n            tracking and maintaining contractor and key\n            personnel confidentiality agreements are the\n            responsibility of the Contracting Officer and\n            have been implemented. Furthermore, to\n            address its responsibilities, DOA hired\n            additional personnel which made significant\n            improvements to the process of uploading and\n            tracking required contract documents in the\n            Contract Electronic File.\n\n\n  a\n      Resolved \xe2\x80\x93 (1) Management concurs with the recommendation, and the planned, ongoing, and completed corrective action\n                     is consistent with the recommendation.\n                 (2) Management does not concur with the recommendation, but alternative action meets the intent of the\n                     recommendation.\n                 (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary\n                     benefits are considered resolved as long as management provides an amount.\n  b\n      Once the OIG determines that the agreed-upon corrective actions have been completed and are responsive to the\n      recommendations, the recommendations can be closed.\n  c\n      DRR comments indicate that these four recommendations have been implemented, and they will be closed once we\n      determine the corrective actions have been completed and are responsive.\n\n\n\n\n                                                             II-14\n\x0c"